Test Your Information Security IQ

Information security is a dynamic field and, although accounting
professionals have become much savvier on the subject, keeping track
of the latest best practices can be a daunting task. How current are
you? Take this quiz on information security basics to find out.

1. Because no single antivirus program can protect against all
viruses, you can enhance protection by installing several different
antivirus programs from trusted vendors. True or False?

2. Your company maintains a virtual private network (VPN) that
allows off-site employees to connect to the company network via the
Internet. The VPN uses the latest and most secure encryption
available, encoding all data from the remote computer all the way to
the office server. By loading the VPN software on public computers,
like those at hotel business centers, you can transact sensitive and
confidential business over your company network with a high level of
confidence in the security. True or False?

3. Wired Equivalent Privacy (WEP) encryption on Wi-Fi networks,
which was cracked several years ago, should be avoided at all costs. True or False?

4. Using Wi-Fi Protected Access (WPA) encryption and media access
control (MAC) address filtering on your Wi-Fi access point does not
provide sufficient protection for transacting sensitive and
confidential business via the Internet from your wireless device or
laptop computer. True or False?

5. You receive an e-mail from your company’s IT administrator
warning that a new security hole has been discovered in your corporate
software. The e-mail provides a link to a patch site and directs you
to download and install a patch to plug the vulnerability. Before
clicking on the link and installing the patch, you should verify the
legitimacy of the e-mail. True or False?

6. Your company maintains a top-notch information security program.
To capitalize on this strength, your marketing manager wants to build
an ad campaign promoting your airtight information security. Your
company is in an information-intensive industry, so this might lead to
a competitive advantage with little downside. True or False?

7. A trusted IT employee quits the company in a huff. Security
escorts him off the premises. To prevent potential mischief, you
immediately eliminate the employee’s login IDs and passwords from the
company information systems and disable all other access to company
premises, such as his door keycard and security pass. You and the
company can breathe easily. True or False?

8. Shortly after 9/11, your company increased its focus on
contingency planning and installed surge suppressors and two-hour
uninterruptible power supplies (UPS) on all computing and network
equipment. Your employees can now continue to work through a
short-term power outage (up to an hour or two) without problems. True or False?

9. You have noticed employees downloading music and videos on their
office computers during their breaks. While this technically violates
the acceptable use policy, the employees are using headphones, not
disturbing others, their productivity is not suffering, and they seem
to be enjoying listening to the music while they work. Any action
taken to halt the practice would negatively impact morale more than it
would enhance security. True or False?

10. Since you are the only person who uses your office computer, and
your office is locked every time you leave, even for a moment, there
is no need for the hassle of a Windows startup login and password on
your computer. True or False?

ANSWERS

1. False. Antivirus programs frequently
compete with each other, slowing down your system, delivering false
positives and possibly interfering with each other’s effectiveness. A
single, reputable antivirus software package is your best bet—as long
as you keep the signature files updated.

2. False. VPNs offer nearly bulletproof
protection against network eavesdropping and Internet interception.
They are fine for remote access via your personal laptop. But they do
nothing to protect you against the numerous threats posed by public
computers. Whether in a hotel business center, Internet cafe or
conference lounge, public computers are notorious for security
vulnerabilities and threats. Users can unwittingly infect a machine
with malware that can elude your VPN and affect your applications.

And no matter how sophisticated the VPN security suite, it cannot
detect or protect against keyboard loggers—little devices that may be
plugged between the keyboard and computer case itself. What’s more,
VPN clients cannot guard against over-the-shoulder peeping or
high-resolution surveillance cameras. Loading your VPN on a public
computer could even compromise your virtual network’s security.

3. False. Earlier this decade, news surfaced
that WEP could be cracked by stimulating, capturing and analyzing huge
numbers of packets from a WEP-protected wireless access point. But
contrary to popular press coverage, cracking WEP requires a level of
sophistication well beyond the capability of most hackers. And
manufacturers have altered the design of the equipment to better block
such attacks.

Computers built after 2003 are capable of handling the newer, better
and more complex WPA encryption techniques. However, all computers on
a network must be able to use WPA before it can be utilized for any of
them.

WEP might be your only security option if you have older hardware on
your network. For low-risk applications, including casual home use,
using WEP is far better than using no encryption at all. If you are an
attractive target or handle sensitive information, consider upgrading
your equipment so you can deploy WPA.

4. True. Many professionals overlook the
fact that WPA and WEP protect only the wireless link between the
mobile computer and the access point. Once the data hits the access
point, some other means of encryption must be used for protection
along the remainder of the network path, especially on the Internet.
Encryption such as a VPN, Secure Sockets Layer (SSL), or secure HTML
(SHTML) provides end-to-end protection and should always be used in
addition to the wireless link protection.

5. True. A common phishing technique
involves sending an e-mail pretending to be a trusted insider, and
directing a recipient to click on a link. There are many ways to fake
a return e-mail address, and just as many ways to fake a URL so that
it points to a site other than what appears in the link. The link
actually points to a malicious Web site, where a Trojan or other
malware can automatically be installed by the browser.

Before clicking on a link in an e-mail, always verify the e-mail is
legitimate and actually came from the party it purports to be from. In
accounting, you would never act on a demand for immediate payment,
even from a trusted vendor, without first verifying the demand’s
authenticity. Likewise, you should not follow directions in an e-mail
until you’ve satisfied yourself it is authentic. Many businesses
spread the word via e-mail bulletins about patches and other
precautions IT is asking users to take. If you haven’t seen an alert
or if your company doesn’t issue such warnings, contact an IT
administrator before clicking on a link.

6. False. Bragging about your security is an
open invitation for sophisticated hackers to try their hand at
breaking in. No matter how good your security is, it can never be 100%
safe. It is better to keep a low profile and hope the best hackers
won’t notice your organization. It is true that
security-through-obscurity is no protection, but advertising your
pride is tantamount to issuing a challenge for those who otherwise
might not have had any reason to bother your company. It’s not worth
the risk of becoming an attractive target.

7. False. Trusted IT employees are
problematic because they have access to the inner sanctum of the
information system. An employee can stew a long time before leaving
and take advantage of his position to plant a time bomb, open a
backdoor access, or otherwise introduce vulnerabilities to the system.
Anytime an IT person leaves, you must be on high alert on multiple
fronts.

8. False. UPS systems rely on batteries, and
the shelf life of a UPS battery is seldom more than a couple of years.
Surge suppressors also lose their effectiveness as their components
age. Equipment that hasn’t been tested or updated since 2001 probably
offers little or no protection today. If you don’t have a schedule for
inspecting and updating your equipment regularly, you may not have the
protection you think.

Also, your contingency plan should consider lighting, ventilation,
sanitation and other essential systems necessary for employees to
continue working during a power failure. Some fire codes and local
ordinances prohibit the occupancy of buildings without commercial
power unless alternate electrical sources are provided for fire
detection, lighting and security systems, among other services.

Finally, keep in mind that relying on even the best UPS system to
support continuing operations is like placing a net under a trapeze.
Most of those systems are only intended to support a safe landing for
your interrupted IT operations.

9. False. Several issues must be considered
when employees download music or videos at work. Employees could be
downloading and trafficking in illegal copies of copyrighted material,
exposing your company to legal risks. Also, media files are often
large. The downloads may bog down your network.

Furthermore, failure to enforce an acceptable use policy leads to
lackadaisical attitudes and diminishes respect for other policies.
Finally, and most importantly, there is always the danger of a virus
or Trojan riding into your network by piggybacking on, or even being
disguised as, a popular media title or link.

10. False. If your computer is not protected
by startup passwords, there is always a possibility an intruder can
copy data from your hard drive. It’s crucial to keep your computer
locked down by using startup IDs and passwords. The couple of seconds
of effort, even several times per day, may be well worth the
protection of your data.

Here’s an additional consideration: Running your computer under a
default account means that all programs have administrator privileges.
If a virus makes it through your virus-checker, it can do some damage.
It is better to have two logins, one as administrator and one with
restricted privileges. Log in using the restricted account for normal
day-to-day operations, preventing viruses and other malware from
loading and executing. You can log in as the administrator if you need
to add programs or software.

Scoring: If you answered nine or 10 questions
correctly, keep up the good work. You are well-versed on the latest
developments. Continue to update your knowledge about risks to
information security assets and the best countermeasures.

If you answered seven or eight questions correctly, that’s not bad,
but it might be time to think more broadly about peripheral threats
and potential weaknesses in your systems. Reading the latest security
literature is essential.

If you answered fewer than seven questions correctly, reassess your
strategy for staying current on developments in information security.
Knowledge building should be a part of your information security
strategic plan. You may also need to assess the vulnerability of your
information assets.

David R. Fordham, CPA, CMA, Ph.D., and
Bradley M. Roof, CPA, CMA, Ph.D., teach
accounting at James Madison University in Harrisonburg, Va. Their
e-mail addresses, respectively, are fordhadr@jmu.edu and roofbm@jmu.edu.
